Security is at the forefront of our solution and employs a multi-layered approach to ensure maximum security. These layers include:
- Validated Identity: A customer using the mobile solution must enroll his mobile device with the financial institution (FI) offering the service. The point of enrollment provides the mechanism to authenticate the customer before enrolling the mobile phone number, thereby establishing a "trusted path" of communication between the FI and its customer. Once a customer is authenticated, the mobile device is uniquely identified and associated with the customer. This important relationship is maintained as part of the customer's mobile profile in our solution.
- Multifactor Authentication: The transaction-level, multifactor authentication system is designed to meet and exceed FFIEC requirements. "Something I have" (the first factor) is the enrolled mobile device itself. "Something I know" (the second factor) is a PIN or a one-time password. This authorization can occur out-of-band for an additional level of security.
- Escalating Authentication: Automatic, escalated authentication or authorization is supported. Higher-risk transactions, such as transfers over an FI-specified or customer-specified threshold amount or between specific accounts, take advantage of this escalation.
- Out-of-Band Authentication: For added security, escalated authentication can cross communication channels to perform out-of-band verification of a transaction. Depending on the use case, this dial-back may use an outbound IVR call requesting a PIN, a WAP push message sent to accept a PIN or password in an SSL-secured connection, a voice call from a customer service representative or a secure push notification (e.g. Apple iPhone APNS).
- Anti-Tampering Technology: By definition, the mobile web server is open to the Internet and must be protected from attacks. The solution always uses encrypted HTTPS sessions and further increases security with its sophisticated anti-tampering technology, including:
  - SMS "Dial-Back"
  - Apple Push Notification Service
  - Message Authentication Codes (MACs)
  - URL Parameter Validation
  - Form Data Validation
  - Session ID Timeout
- Delegated Authentication: The FI can opt for the platform to delegate authentication to the FI's existing authentication system. This is a good practice when the FI has centralized control over the customer's credentials, including password policies and procedures for managing lost credentials.
- Extended Authentication: Integration with risk-based authentication systems already in place at the FI, such as RSA/Passmark and Voyager IA, is supported. This provides stronger device identification and mutual authentication, assuring the customer that he is connected to the FI's website rather than a phishing site.
- Confidential Data Protected: Confidential data is never transmitted to or stored on customer devices, so the information sent to the device shields the customer's personal details. Customer-defined nicknames, masked account numbers and other security measures ensure that the device never contains more information than can be found on a typical ATM receipt.
- Encryption: Encryption is implemented throughout the platform. For all data in flight, multiple encryption techniques, including SSL, HTTPS and WS-Security are utilized. All operations and transactions conducted in the Clairmail solution are logged beginning-to-end and migrated to a reporting database in order to provide a complete audit trail.